Open
Bug 1235291
Opened 8 years ago
Updated 2 years ago
DLLs in download folder security hole
Categories
(Core :: Security, defect)
Tracking
()
UNCONFIRMED
People
(Reporter: maxpolk, Unassigned)
Details
(Keywords: dupeme)
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 Build ID: 20151029151421 Steps to reproduce: Once a DLL from one site is downloaded to the "Downloads" folder, any executable downloaded from any other site afterwards, and then run, has a chance to be hijacked, due to Windows discovering DLLs in the same directory as an executable. By reusing the same directory all the time for downloads, accumulated DLLs introduce a serious attack vector, which all browsers including Mozilla keeps wide open. Reusing a single "Downloads" folder to accumulate all things downloaded ends up being a bad tradition on Windows, and this bug is opened seeking to close it. Actual results: This explains a step-by-step procedure to reproduce the problem http://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/ Expected results: Somehow each download should be in a separate folder, perhaps a subdirectory of the "Downloads" folder. Then, executables from one site won't accidentally be hijacked by DLLs from another site.
Component: Untriaged → Security
Product: Firefox → Core
Whiteboard: [DUPEME]
Comment 1•8 years ago
|
||
While Firefox users can be attacked via this method, Firefox requires user confirmation of every DLL download and does not permit the user to opt out of that prompt. As a consequence, Firefox users are considerably less susceptible to attack than Chrome and Edge users. Notably, however, there is the possibility of a blended attack, wherein Chrome or Edge drops a DLL and that DLL is later used by an executable that Firefox downloaded.
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•